Are Packets Arriving at My Zeek Instance?
To check that your span port is correctly feeding data to Zeek, first install tcpdump.
Installing tcpdump (this package is provided in all supported Linux distributions)
On Debian and Ubuntu Linux, run:
sudo apt-get -y install tcpdump
On Centos, RHEL, or Fedora Linux, run:
sudo yum -y install tcpdump
Then run the following, replacing {ethernet_port} with the name of the network card on which Zeek is listening:
sudo tcpdump -i {ethernet_port} -c 100 -qtnp
If you see no output at all, press Ctrl-C to stop tcpdump and check that the network card is correctly connected to the span port on your switch. Note that the -p flag tells tcpdump not to put the interface into promiscuous mode itself; if Zeek is not currently running on that interface, the card may discard span traffic that is not addressed to its own MAC, so either start Zeek first or repeat the command without -p.
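As an added example that is not part of this FAQ, the following shell script performs the same check without tcpdump by reading the kernel's per-interface counters under /sys/class/net, and also reports whether the interface is in promiscuous mode, which a span feed needs. The default interface name eth0, the 5-second sample window, the SYSFS override variable and the file name check_span_feed.sh are assumptions.

```shell
#!/bin/sh
# Verify that a sensor interface is receiving span traffic (added example,
# not from the FAQ). Usage: ./check_span_feed.sh [iface] [seconds]
IFACE="${1:-eth0}"                  # assumed default interface name
INTERVAL="${2:-5}"                  # assumed sample window in seconds
SYSFS="${SYSFS:-/sys/class/net}"    # overridable for testing

# Read the kernel's received-packet counter for an interface.
read_rx() {
    cat "$SYSFS/$1/statistics/rx_packets"
}

# IFF_PROMISC is bit 0x100 of the hex flags word in /sys/class/net/<iface>/flags.
# Returns 0 (true) when promiscuous mode is set, 1 otherwise.
is_promisc() {
    flags=$(printf '%d' "$1")
    [ $(( flags & 256 )) -ne 0 ]
}

# Decide from two counter readings whether the feed is alive: true when at
# least MIN (default 1) packets arrived between the readings.
feed_alive() {
    before=$1; after=$2; min=${3:-1}
    [ $(( after - before )) -ge "$min" ]
}

# Full check: interface exists, promiscuous mode, and packets arriving.
# Returns 0 if traffic is seen, 1 if none, 2 if the interface is missing.
check_span_feed() {
    iface=$1; interval=$2
    [ -d "$SYSFS/$iface" ] || { echo "$iface: no such interface"; return 2; }
    if ! is_promisc "$(cat "$SYSFS/$iface/flags")"; then
        echo "$iface: not in promiscuous mode; frames not addressed to this NIC are dropped unless Zeek (or something else) enables it"
    fi
    before=$(read_rx "$iface")
    sleep "$interval"
    after=$(read_rx "$iface")
    if feed_alive "$before" "$after"; then
        echo "$iface: $(( after - before )) packets received in ${interval}s"
    else
        echo "$iface: no packets in ${interval}s; check the cable and the switch's span/mirror configuration"
        return 1
    fi
}

# Run the check only when executed as the script itself (not when sourced).
case "$0" in
    *check_span_feed.sh) check_span_feed "$IFACE" "$INTERVAL" ;;
esac
```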
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=876
Category: Network Sensor Management